first commit
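--- a/Security/User/KeycloakBearerUser.php
+++ b/Security/User/KeycloakBearerUser.php
@@ -0,0 +1,301 @@
+<?php
+
+
+namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
+
+
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class KeycloakBearerUser implements UserInterface, \Serializable
+{
+/**
+* @var string
+*/
+private $sub;
+
+/**
+* @var string
+*/
+private $name;
+
+/**
+* @var string
+*/
+private $email;
+
+
+/**
+* @var string
+*/
+private $given_name;
+
+
+/**
+* @var string
+*/
+private $family_name;
+
+
+/**
+* @var string
+*/
+private $preferred_username;
+
+/**
+* @var array
+*/
+private $roles;
+
+/**
+* @var string
+*/
+private $accessToken;
+
+/**
+* KeycloakBearerUser constructor.
+* @param string $sub
+* @param string $name
+* @param string $email
+* @param string $given_name
+* @param string $family_name
+* @param string $preferred_username
+* @param array $roles
+* @param string $accessToken
+*/
+public function __construct(
+string $sub,
+string $name,
+string $email,
+string $given_name,
+string $family_name,
+string $preferred_username,
+array $roles,
+string $accessToken
+)
+{
+$this->sub = $sub;
+$this->name = $name;
+$this->email = $email;
+$this->given_name = $given_name;
+$this->family_name = $family_name;
+$this->preferred_username = $preferred_username;
+$this->roles = $roles;
+$this->accessToken = $accessToken;
+}
+
+/**
+* @return string
+*/
+public function getSub(): string
+{
+return $this->sub;
+}
+
+/**
+* @param string $sub
+*/
+public function setSub(string $sub): void
+{
+$this->sub = $sub;
+}
+
+/**
+* @return string
+*/
+public function getName(): string
+{
+return $this->name;
+}
+
+/**
+* @param string $name
+*/
+public function setName(string $name): void
+{
+$this->name = $name;
+}
+
+/**
+* @return string
+*/
+public function getEmail(): string
+{
+return $this->email;
+}
+
+/**
+* @param string $email
+*/
+public function setEmail(string $email): void
+{
+$this->email = $email;
+}
+
+/**
+* @return string
+*/
+public function getGivenName(): string
+{
+return $this->given_name;
+}
+
+/**
+* @param string $given_name
+*/
+public function setGivenName(string $given_name): void
+{
+$this->given_name = $given_name;
+}
+
+/**
+* @return string
+*/
+public function getFamilyName(): string
+{
+return $this->family_name;
+}
+
+/**
+* @param string $family_name
+*/
+public function setFamilyName(string $family_name): void
+{
+$this->family_name = $family_name;
+}
+
+/**
+* @param string $preferred_username
+*/
+public function setPreferredUsername(string $preferred_username): void
+{
+$this->preferred_username = $preferred_username;
+}
+
+/**
+* @return string
+*/
+public function getAccessToken(): string
+{
+return $this->accessToken;
+}
+
+/**
+* @param string $accessToken
+*/
+public function setAccessToken(string $accessToken): void
+{
+$this->accessToken = $accessToken;
+}
+
+
+/**
+* Returns the roles granted to the user.
+*
+* public function getRoles()
+* {
+* return ['ROLE_USER'];
+* }
+*
+* Alternatively, the roles might be stored on a ``roles`` property,
+* and populated in any number of different ways when the user object
+* is created.
+*
+* @return array (Role|string)[] The user roles
+*/
+public function getRoles()
+{
+return $this->roles;
+}
+
+/**
+* Returns the password used to authenticate the user.
+*
+* This should be the encoded password. On authentication, a plain-text
+* password will be salted, encoded, and then compared to this value.
+*
+* @return string The password
+*/
+public function getPassword()
+{
+// TODO: Implement getPassword() method.
+return $this->sub;
+}
+
+/**
+* Returns the salt that was originally used to encode the password.
+*
+* This can return null if the password was not encoded using a salt.
+*
+* @return string|null The salt
+*/
+public function getSalt()
+{
+// TODO: Implement getSalt() method.
+return null;
+}
+
+/**
+* Returns the username used to authenticate the user.
+*
+* @return string The username
+*/
+public function getUsername()
+{
+// TODO: Implement getUsername() method.
+return $this->preferred_username;
+}
+
+/**
+* Removes sensitive data from the user.
+*
+* This is important if, at any given point, sensitive information like
+* the plain-text password is stored on this object.
+*/
+public function eraseCredentials()
+{
+// TODO: Implement eraseCredentials() method.
+}
+
+/**
+* String representation of object
+* @link http://php.net/manual/en/serializable.serialize.php
+* @return string the string representation of the object or null
+* @since 5.1.0
+*/
+public function serialize()
+{
+return serialize(array(
+$this->sub,
+$this->name,
+$this->email,
+$this->given_name,
+$this->family_name,
+$this->preferred_username,
+$this->roles,
+$this->accessToken
+));
+}
+
+/**
+* Constructs the object
+* @link http://php.net/manual/en/serializable.unserialize.php
+* @param string $serialized <p>
+* The string representation of the object.
+* </p>
+* @return void
+* @since 5.1.0
+*/
+public function unserialize($serialized)
+{
+list (
+$this->sub,
+$this->name,
+$this->email,
+$this->given_name,
+$this->family_name,
+$this->preferred_username,
+$this->roles,
+$this->accessToken
+) = unserialize($serialized, ['allowed_classes' => false]);
+}
+}
+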
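Review bot: `getPassword()` returns `$this->sub` under a `// TODO` comment, which is misleading: this user is authenticated by bearer token only, the Keycloak subject identifier is not a secret, and nothing should ever be verified against it, so the method should `return null;` (the interface contract allows a null password) and the TODO can go. `eraseCredentials()` is likewise left empty while `serialize()` writes `$this->accessToken` into whatever store Symfony serializes the user into; the sibling provider's `refreshUser()` re-introspects with that stored token, so if keeping it is intentional a comment such as `// access token is kept across requests: refreshUser() re-validates it against Keycloak` should record that decision. The `getRoles()` docblock still carries the pasted interface example (`public function getRoles() { return ['ROLE_USER']; }`) and should describe this class instead, e.g. `Returns the client roles taken from the token's resource_access claim.` A `setPreferredUsername()` exists without a matching `getPreferredUsername()`, even though `getUsername()` returns that field; adding the getter for symmetry is a minor point.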
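--- a/Security/User/KeycloakBearerUserProvider.php
+++ b/Security/User/KeycloakBearerUserProvider.php
@@ -0,0 +1,138 @@
+<?php
+
+
+namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
+
+
+use GuzzleHttp\Client;
+use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+
+class KeycloakBearerUserProvider implements UserProviderInterface
+{
+/**
+* @var string
+*/
+private $issuer;
+/**
+* @var string
+*/
+private $realm;
+/**
+* @var string
+*/
+private $client_id;
+/**
+* @var string
+*/
+private $client_secret;
+
+/**
+* KeycloakBearerUserProvider constructor.
+* @param string $issuer
+* @param string $realm
+* @param string $client_id
+* @param string $client_secret
+*/
+public function __construct(string $issuer, string $realm, string $client_id, string $client_secret)
+{
+$this->issuer = $issuer;
+$this->realm = $realm;
+$this->client_id = $client_id;
+$this->client_secret = $client_secret;
+}
+
+/**
+* Loads the user for the given username.
+*
+* This method must throw UsernameNotFoundException if the user is not
+* found.
+*
+* @param string $accessToken The username
+*
+* @return UserInterface
+*
+* @throws UsernameNotFoundException if the user is not found
+*/
+public function loadUserByUsername($accessToken)
+{
+$client = new Client([
+'base_uri' => $this->issuer,
+]);
+
+$response = $client->post('/auth/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
+'auth' => [$this->client_id, $this->client_secret],
+'form_params' => [
+'token' => $accessToken,
+],
+'proxy' => [
+'http' => '', // Use this proxy with "http"
+'https' => '', // Use this proxy with "https",
+],
+'http_errors' => false
+]);
+
+$jwt = json_decode($response->getBody(), true);
+
+if (!$jwt['active']) {
+throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
+}
+
+if (!isset($jwt['resource_access'][$this->client_id])) {
+throw new \UnexpectedValueException('The token does not have the necessary permissions!');
+}
+
+return new KeycloakBearerUser(
+$jwt['sub'],
+$jwt['name'],
+$jwt['email'],
+$jwt['given_name'],
+$jwt['family_name'],
+$jwt['preferred_username'],
+$jwt['resource_access'][$this->client_id]['roles'],
+$accessToken
+);
+}
+
+/**
+* Refreshes the user.
+*
+* It is up to the implementation to decide if the user data should be
+* totally reloaded (e.g. from the database), or if the UserInterface
+* object can just be merged into some internal array of users / identity
+* map.
+*
+* @return UserInterface
+*
+* @throws UnsupportedUserException if the user is not supported
+* @throws UsernameNotFoundException if the user is not found
+*/
+public function refreshUser(UserInterface $user)
+{
+if (!$user instanceof KeycloakBearerUser) {
+throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
+}
+
+$user = $this->loadUserByUsername($user->getAccessToken());
+
+if (!$user) {
+throw new UsernameNotFoundException();
+}
+
+return $user;
+}
+
+/**
+* Whether this provider supports the given user class.
+*
+* @param string $class
+*
+* @return bool
+*/
+public function supportsClass($class)
+{
+return KeycloakBearerUser::class === $class;
+}
+}
+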
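Review bot: `$jwt['active']` and the claim lookups that follow are read from `json_decode($response->getBody(), true)` without checking the response status or that decoding succeeded; with `'http_errors' => false`, a 401/5xx from the introspection endpoint (for example bad client credentials) or a non-JSON body leaves `$jwt` as `null`, so the `active` check reports the caller's token as invalid and masks an endpoint or configuration fault. The two `\UnexpectedValueException`s are also not `AuthenticationException`s, so depending on which authenticator calls `loadUserByUsername()` an inactive token may surface as a server error rather than an authentication failure; `UsernameNotFoundException`, already imported here and named in the method's own `@throws`, is the type the provider contract documents. Should Keycloak omit an optional profile claim such as `name` or `given_name` for a token, the `string` parameters of the `KeycloakBearerUser` constructor will raise a `TypeError`, so defaulting them with `?? ''` keeps an otherwise valid token loadable. In `refreshUser()` the `if (!$user)` branch is unreachable, since `loadUserByUsername()` either returns an object or throws.

```php
// … unchanged: Guzzle client construction and introspection POST …

// Guard the transport first so an endpoint/credential fault is not reported as "token invalid".
if ($response->getStatusCode() !== 200) {
    throw new UsernameNotFoundException(sprintf('Token introspection failed with HTTP status %d.', $response->getStatusCode()));
}

$jwt = json_decode((string) $response->getBody(), true);

// A non-JSON body decodes to null; treat it the same as an inactive token, but as an auth failure.
if (!is_array($jwt) || empty($jwt['active'])) {
    throw new UsernameNotFoundException('The token does not exist or is not valid anymore');
}

if (!isset($jwt['resource_access'][$this->client_id]['roles'])) {
    throw new UsernameNotFoundException('The token does not have the necessary permissions!');
}

return new KeycloakBearerUser(
    $jwt['sub'],
    $jwt['name'] ?? '',
    $jwt['email'] ?? '',
    $jwt['given_name'] ?? '',
    $jwt['family_name'] ?? '',
    $jwt['preferred_username'] ?? '',
    $jwt['resource_access'][$this->client_id]['roles'],
    $accessToken
);
```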